feat(rm): implement one-file-system check for safe recursive removal

shskwmt · shskwmt · commit 351e8b2d73ce · 2026-01-30T00:10:04.000+09:00
- Track device IDs (st_dev) during safe directory traversal to respect
  `--one-file-system` and `--preserve-root=all` options.
- Pass the parent device ID through recursive calls in `safe_remove_dir_recursive_impl`.
- Refactor `show_one_fs_error` into a reusable function to unify error reporting.
- Ensure the parent directory is not removed if any child removal fails or is skipped.
diff --git a/src/uu/rm/src/platform/unix.rs b/src/uu/rm/src/platform/unix.rs
@@ -11,6 +11,7 @@ use indicatif::ProgressBar;
 use std::ffi::OsStr;
 use std::fs;
 use std::io::{IsTerminal, stdin};
+use std::os::unix::fs::MetadataExt;
 use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use uucore::display::Quotable;
@@ -21,9 +22,9 @@ use uucore::show_error;
 use uucore::translate;
 
 use super::super::{
-    InteractiveMode, Options, is_dir_empty, is_readable_metadata, prompt_descend, remove_file,
-    show_permission_denied_error, show_removal_error, verbose_removed_directory,
-    verbose_removed_file,
+    InteractiveMode, Options, PreserveRoot, is_dir_empty, is_readable_metadata, prompt_descend,
+    remove_file, show_one_fs_error, show_permission_denied_error, show_removal_error,
+    verbose_removed_directory, verbose_removed_file,
 };
 
 #[inline]
@@ -279,11 +280,11 @@ pub fn safe_remove_dir_recursive(
 ) -> bool {
     // Base case 1: this is a file or a symbolic link.
     // Use lstat to avoid race condition between check and use
-    let initial_mode = match fs::symlink_metadata(path) {
+    let (initial_mode, initial_dev) = match fs::symlink_metadata(path) {
         Ok(metadata) if !metadata.is_dir() => {
             return remove_file(path, options, progress_bar);
         }
-        Ok(metadata) => metadata.permissions().mode(),
+        Ok(metadata) => (metadata.permissions().mode(), metadata.dev()),
         Err(e) => {
             return show_removal_error(e, path);
         }
@@ -309,7 +310,7 @@ pub fn safe_remove_dir_recursive(
         }
     };
 
-    let error = safe_remove_dir_recursive_impl(path, &dir_fd, options);
+    let error = safe_remove_dir_recursive_impl(path, &dir_fd, options, Some(initial_dev));
 
     // After processing all children, remove the directory itself
     if error {
@@ -346,7 +347,12 @@ pub fn safe_remove_dir_recursive(
 }
 
 #[cfg(not(target_os = "redox"))]
-pub fn safe_remove_dir_recursive_impl(path: &Path, dir_fd: &DirFd, options: &Options) -> bool {
+pub fn safe_remove_dir_recursive_impl(
+    path: &Path,
+    dir_fd: &DirFd,
+    options: &Options,
+    parent_dev: Option<u64>,
+) -> bool {
     // Read directory entries using safe traversal
     let entries = match dir_fd.read_dir() {
         Ok(entries) => entries,
@@ -380,11 +386,22 @@ pub fn safe_remove_dir_recursive_impl(path: &Path, dir_fd: &DirFd, options: &Opt
         let is_dir = ((entry_stat.st_mode as libc::mode_t) & libc::S_IFMT) == libc::S_IFDIR;
 
         if is_dir {
+            if options.one_fs || options.preserve_root == PreserveRoot::YesAll {
+                if let Some(p_dev) = parent_dev {
+                    if entry_stat.st_dev as u64 != p_dev {
+                        show_one_fs_error(&entry_path, options);
+                        error = true;
+                        continue;
+                    }
+                }
+            }
+
             // Ask user if they want to descend into this directory
             if options.interactive == InteractiveMode::Always
                 && !is_dir_empty(&entry_path)
                 && !prompt_descend(&entry_path)
             {
+                error = true;
                 continue;
             }
 
@@ -408,25 +425,35 @@ pub fn safe_remove_dir_recursive_impl(path: &Path, dir_fd: &DirFd, options: &Opt
                 }
             };
 
-            let child_error = safe_remove_dir_recursive_impl(&entry_path, &child_dir_fd, options);
-            error |= child_error;
+            let child_error = safe_remove_dir_recursive_impl(
+                &entry_path,
+                &child_dir_fd,
+                options,
+                Some(entry_stat.st_dev as u64)
+            );
+
+            // If a child could not be removed, the parent directory cannot be removed either.
+            if child_error {
+                error = true;
+                continue;
+            }
 
             // Ask user permission if needed for this subdirectory
-            if !child_error
-                && options.interactive == InteractiveMode::Always
+            if options.interactive == InteractiveMode::Always
                 && !prompt_dir_with_mode(&entry_path, entry_stat.st_mode as libc::mode_t, options)
             {
+                error = true;
                 continue;
             }
 
             // Remove the now-empty subdirectory using safe unlinkat
-            if !child_error {
-                error |= handle_unlink(dir_fd, entry_name.as_ref(), &entry_path, true, options);
-            }
+            error |= handle_unlink(dir_fd, entry_name.as_ref(), &entry_path, true, options);
         } else {
             // Remove file - check if user wants to remove it first
             if prompt_file_with_stat(&entry_path, &entry_stat, options) {
                 error |= handle_unlink(dir_fd, entry_name.as_ref(), &entry_path, false, options);
+            } else {
+                error = true;
             }
         }
     }
@@ -435,7 +462,12 @@ pub fn safe_remove_dir_recursive_impl(path: &Path, dir_fd: &DirFd, options: &Opt
 }
 
 #[cfg(target_os = "redox")]
-pub fn safe_remove_dir_recursive_impl(_path: &Path, _dir_fd: &DirFd, _options: &Options) -> bool {
+pub fn safe_remove_dir_recursive_impl(
+    _path: &Path,
+    _dir_fd: &DirFd,
+    _options: &Options,
+    _parent_dev: Option<u64>,
+) -> bool {
     // safe_traversal stat_at is not supported on Redox
     // This shouldn't be called on Redox, but provide a stub for compilation
     true // Return error
diff --git a/src/uu/rm/src/rm.rs b/src/uu/rm/src/rm.rs
@@ -586,21 +586,25 @@ fn is_writable_metadata(_metadata: &Metadata) -> bool {
     true
 }
 
+pub(crate) fn show_one_fs_error(path: &Path, options: &Options) {
+    show_error!(
+        "skipping {}, since it's on a different device",
+        path.quote()
+    );
+
+    if !options.one_fs && options.preserve_root == PreserveRoot::YesAll {
+        show_error!("and --preserve-root=all is in effect");
+    }
+}
+
 /// Helper function to check fs and report errors if necessary.
 /// Returns true if the operation should be skipped/returned (i.e., on error).
 fn check_and_report_one_fs(path: &Path, options: &Options) -> bool {
     if let Err(additional_reason) = check_one_fs(path, options) {
         if !additional_reason.is_empty() {
             show_error!("{}", additional_reason);
         }
-        show_error!(
-            "skipping {}, since it's on a different device",
-            path.quote()
-        );
-
-        if options.preserve_root == PreserveRoot::YesAll {
-            show_error!("and --preserve-root=all is in effect");
-        }
+        show_one_fs_error(path, options);
 
         return true;
     }
